Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <5125327C.2060703@redhat.com>
Date: Wed, 20 Feb 2013 13:30:52 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: Tim <tim-security@...tinelchicken.org>
CC: oss-security@...ts.openwall.com
Subject: Re: RE: Handling CVEs for the XML entity expansion
 issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/20/2013 01:06 PM, Tim wrote:
> 
>> Docbook uses it quite a bit, e.g. each chapter is a file, then
>> you use external entities to put them all together, also for
>> graphics/etc. Breaking Docbook would make me a sad panda.
> 
> Well sure, some minority of apps will break.  Libraries release
> notes merely need to say "next version breaks backward
> compatibility for apps that use entities and inline DTDs.  If your
> app uses these, explicitly enable with ..."  Once again, "off by
> default", not removed.

Yeah I'm pretty sure that's a less than ideal solution. Less ideal in
the sense of "breaking a whole bunch of customer software without much
warning, some of which is probably closed source and can't be modified
so that it works with these new "improved" xml libraries" is not the
way to go. So that's not gonna happen for most major Linux vendors (in
other words we'll have to find better ways to fix this).

Like Linus says, we can't just start breaking things. That's not how
you fix things.

>> I tend to agree, however for the billion laughs/linear attack
>> that can be somewhat addressed, libxml for example addressed it
>> by stopping all non linear expansion a few years ago, so while
>> still vulnerable they are less vulnerable.
> 
> Yes, but this is by far the least interesting attack scenario for
> most XML libraries.  Since libxml2 is pretty limited in it's
> entities support and network capabilities to begin with, it isn't
> as interesting of a case for XXE generally.  However, other
> libraries leverage many platform network capabilities that make for
> some much more interesting attacks.
> 
> tim
> 


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRJTJ8AAoJEBYNRVNeJnmToUkQAMiGDsOlh2iP/a7JfqADtoJD
ZXKu2WZn7bl0B7pAL2oRwKN7rajgBCYpj7NGa3dPhT0q1HewR3m5Sz+ITSOCCSYt
BMfk6IKh/Tq26rcxcjBDjS6tlXCW3qr0gej+5DhUZ7v51IPmP17PEVFOETCBG0V0
/uL7eC/yWOtEPy+ckY9F95AMqfOVqeHWteFek2BZCTZZBiXa+7pLelTWaggzP2JS
n2J9fdQqXQfiOpajB63JSNj+E5tvLLIHwjniLyW5WuLoMvJ/bSiWm58VYJUzm5Nu
YkV8++fsHV6Y2Am6pzKkkXg42v9PULrlmgbETUYqbvj4xzFnt+3w3GJuFY6I9Gqr
HoobjtuXCa+NmAihJ//orJk5oi90pOOoU4eqLivHWqTM+4+wR6f6p/Hn4RroL1pq
M75KrzAiXhphQ+yyrTeGYYFRWbNCjXm0yvmeU+X1+kFCgPKN32ecSlPbiW9jdDM0
p6UnCff/8mha54oFgaX356f+6cvXMjFki66pDWFFpuCEpZZ/7p0Z8geWP2OcmpdS
TwcF3qNYwxtNm8PSg1cei7a053xYnkT3eoHpETVlDzv2oB8Edg41AOp74T2OkAqZ
4CybIbDQtVwG0GZHWAReM83YX4EaiLWTIwOkhb/ld8kyEElT6sIh/b4ILZAm4O+O
PYSRsPw9DW2x//mgcb2k
=Nl21
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.